From 79d588e8d97ee8af6dcab09262de95e40a757869 Mon Sep 17 00:00:00 2001
From: Pierre Chifflier
Date: Tue, 29 Oct 2024 10:51:52 +0100
Subject: [PATCH 1/2] ldap: add port 3268 (used by Active Directory)

---
 rust/src/ldap/ldap.rs | 4 ++--
 suricata.yaml.in | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rust/src/ldap/ldap.rs b/rust/src/ldap/ldap.rs
index 4c9c3947d7a8..a8115f967037 100644
--- a/rust/src/ldap/ldap.rs
+++ b/rust/src/ldap/ldap.rs
@@ -617,7 +617,7 @@ const PARSER_NAME: &[u8] = b"ldap\0";
 
 #[no_mangle]
 pub unsafe extern "C" fn SCRegisterLdapTcpParser() {
-    let default_port = CString::new("389").unwrap();
+    let default_port = CString::new("[389, 3268]").unwrap();
     let parser = RustParser {
         name: PARSER_NAME.as_ptr() as *const c_char,
         default_port: default_port.as_ptr(),
@@ -674,7 +674,7 @@ pub unsafe extern "C" fn SCRegisterLdapTcpParser() {
 
 #[no_mangle]
 pub unsafe extern "C" fn SCRegisterLdapUdpParser() {
-    let default_port = CString::new("389").unwrap();
+    let default_port = CString::new("[389, 3268]").unwrap();
     let parser = RustParser {
         name: PARSER_NAME.as_ptr() as *const c_char,
         default_port: default_port.as_ptr(),
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 7dd7cb588675..82a72bad0f3a 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1188,11 +1188,11 @@ app-layer:
       tcp:
         enabled: yes
         detection-ports:
-          dp: 389
+          dp: 389, 3268
       udp:
         enabled: yes
         detection-ports:
-          dp: 389
+          dp: 389, 3268
       # Maximum number of live LDAP transactions per flow
       # max-tx: 1024
 

From f318ec6d387cfeb72e2dc8a350e286cf1a89ac0b Mon Sep 17 00:00:00 2001
From: Pierre Chifflier
Date: Wed, 13 Nov 2024 15:11:22 +0100
Subject: [PATCH 2/2] ldap: add support for STARTTLS to make certificate information available

Ticket: #7394.
---
 rust/src/ldap/ldap.rs | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/rust/src/ldap/ldap.rs b/rust/src/ldap/ldap.rs
index a8115f967037..f86c8d8499d9 100644
--- a/rust/src/ldap/ldap.rs
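Review bot: The literal `"[389, 3268]"` now appears twice in this file, in SCRegisterLdapTcpParser here and in SCRegisterLdapUdpParser in the next hunk, plus a third time as `dp: 389, 3268` in suricata.yaml.in, so the three default-port definitions can silently drift; a `const DEFAULT_PORTS: &str = "[389, 3268]";` next to PARSER_NAME, used by both `CString::new` calls, would at least tie the two Rust registrations together. Port 3268 is the Active Directory Global Catalog listener and, as far as I know, is served over TCP only, so adding it to the UDP default is presumably harmless but deserves a one-line comment such as `// 3268: Active Directory Global Catalog (LDAP over TCP)` above the literal so the next reader does not take it for a typo. Both SCRegisterLdap*Parser functions continue outside their hunks.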
+++ b/rust/src/ldap/ldap.rs
@@ -35,6 +35,8 @@ static mut LDAP_MAX_TX: usize = LDAP_MAX_TX_DEFAULT;
 
 static mut ALPROTO_LDAP: AppProto = ALPROTO_UNKNOWN;
 
+const STARTTLS_OID: &str = "1.3.6.1.4.1.1466.20037";
+
 #[derive(AppLayerFrameType)]
 pub enum LdapFrameType {
     Pdu,
@@ -92,6 +94,8 @@ pub struct LdapState {
     response_frame: Option,
     request_gap: bool,
     response_gap: bool,
+    request_tls: bool,
+    has_starttls: bool,
 }
 
 impl State for LdapState {
@@ -115,6 +119,8 @@ impl LdapState {
             response_frame: None,
             request_gap: false,
             response_gap: false,
+            request_tls: false,
+            has_starttls: false,
         }
     }
 
@@ -182,6 +188,13 @@ impl LdapState {
             return AppLayerResult::ok();
         }
 
+        if self.has_starttls { unsafe { AppLayerRequestProtocolTLSUpgrade(flow); } return AppLayerResult::ok(); }
+
         if self.request_gap {
             match ldap_parse_msg(input) {
                 Ok((_, msg)) => {
@@ -216,6 +229,12 @@ impl LdapState {
                    let mut tx = self.new_tx();
                    let tx_id = tx.id();
                    let request = LdapMessage::from(msg);
+                   // check if STARTTLS was requested if let ProtocolOp::ExtendedRequest(request) = &request.protocol_op { if request.request_name.0 == STARTTLS_OID { self.request_tls = true; } }
                    tx.complete = tx_is_complete(&request.protocol_op, Direction::ToServer);
                    tx.request = Some(request);
                    self.transactions.push_back(tx);
@@ -275,6 +294,17 @@ impl LdapState {
            match ldap_parse_msg(start) {
                Ok((rem, msg)) => {
                    let response = LdapMessage::from(msg);
+                   // check if STARTTLS was requested if self.request_tls { if let ProtocolOp::ExtendedResponse(response) = &response.protocol_op { if response.result.result_code == ResultCode(0) { SCLogDebug!("LDAP: STARTTLS detected"); self.has_starttls = true; } self.request_tls = false; } }
                    if let Some(tx) = self.find_request(response.message_id) {
                        tx.complete = tx_is_complete(&response.protocol_op, Direction::ToClient);
                        let tx_id = tx.id();
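Review bot: STARTTLS_OID is added as a bare dotted string with nothing saying what it identifies, and the request hunk further down compares `request_name.0` against it textually, so a doc comment is warranted: `/// OID of the LDAP StartTLS extended operation (RFC 4511 §4.14), compared as a string against ExtendedRequest.requestName.` The value itself matches the StartTLS OID registered in that RFC.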
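Review bot: The two new fields of LdapState are undocumented and their names do not say that they form a two-step sequence (request seen, then success response seen); suggest `/// A StartTLS ExtendedRequest was seen and its ExtendedResponse is still pending.` on `request_tls` and `/// The server accepted StartTLS; all further data on this flow is TLS and is handed to the TLS parser.` on `has_starttls`. Nothing in the patch ever clears `has_starttls`, while `request_tls` is cleared by the next ExtendedResponse, so the comment on `has_starttls` should state that it is sticky for the life of the state. The struct header is outside the hunk.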
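Review bot: The `unsafe` block around `AppLayerRequestProtocolTLSUpgrade(flow)` carries no `// SAFETY:` comment stating why `flow` may be dereferenced here; presumably it is the non-null flow pointer the C core passes for the duration of this parse call, and that should be written down, e.g. `// SAFETY: flow is the live Flow pointer handed to this parser call by the C core.` Also worth confirming: the upgrade is requested only on the to-server side, after the first post-StartTLS client bytes have already been delivered to the LDAP parser and discarded by the `return AppLayerResult::ok()`, so unless the core re-runs protocol detection on that same segment the TLS ClientHello is swallowed and the switch to the TLS parser can fail; a pcap test where the ClientHello immediately follows the success response would settle this. Requesting the upgrade from parse_response at the point where has_starttls is set would sidestep the question entirely. parse_request starts and ends outside the hunk.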
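Review bot: `request_tls` records only that some StartTLS ExtendedRequest was seen, not which message it was, so the matching check in the `@@ -275` hunk accepts the first ExtendedResponse of any kind: an unrelated extended operation whose response arrives first either clears `request_tls` before the real StartTLS result, or, with resultCode 0, sets `has_starttls` and ends LDAP inspection of a flow that never switched to TLS. `find_request(response.message_id)` shows the message id is available on both sides, so store the id instead of a bool, e.g. `self.starttls_msgid = Some(request.message_id);` here and `if self.starttls_msgid == Some(response.message_id)` in the response hunk before evaluating the result code. The inner `request` binding also shadows the outer LdapMessage named `request`, so `request.request_name` reads as a field of the message; `ext_req` would be clearer. parse_request continues outside the hunk.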
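Review bot: `ResultCode(0)` is a magic number in the success test; if the parser crate exports a named constant for the success result code use it, otherwise add `// resultCode 0 = success (RFC 4511 §4.1.9)` on the comparison. The inner binding in `if let ProtocolOp::ExtendedResponse(response) = &response.protocol_op` shadows the outer LdapMessage of the same name, so `response.result.result_code` reads as a field of the message rather than of the extended response; `ext_resp` would be clearer, and the shorter name also keeps the `if let` on one line instead of the hanging `{` rustfmt produced. parse_response starts and ends outside the hunk.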